Koji 1.23.1 Release notes
All changes can be found at pagure. The most important changes are listed here.
Migrating from Koji 1.23
No special actions are needed.
PR#2579: Install into /usr/lib rather than /usr/lib64/
Security Fixes
web: XSS vulnerability
CVE-2020-15856 - The web interface is vulnerable to an XSS attack. Attackers can supply crafted HTTP links containing malicious JavaScript code. Such links were not validated properly, so attackers could potentially force users to submit actions they did not intend. Some actions available through the web UI are destructive, so updating to this version is highly recommended.
System Changes
Revert “timezones for py 2.7”
We’ve returned some behaviour which prevented time operations on py 2.7
Library Changes
lib: better argument checking for eventFromOpts
eventFromOpts can now properly parse after and before arguments.
Hub Changes
hub: use CTE for build_references
This should improve kojira’s performance in some cases.
Builder Changes
mergerepo uses workdir as tmpdir
Until now mergerepo used /tmp instead of workdir. This could lead to space exhaustion if there was not enough space in /tmp. Workdir gets cleaned more often.
Web Changes
disable links to deleted tags
Only redirect back to HTTP_REFERER if it points to kojiweb
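One way to implement the HTTP_REFERER check listed above, as an added example that is not Koji's own code. The function name, the fallback path and the koji.example.com site URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SITE_URL = "https://koji.example.com/koji"   # assumed base URL of the web UI
DEFAULT_TARGET = "/koji/index"               # assumed fallback page
DEFAULT_PORTS = {"http": 80, "https": 443}


def safe_redirect_target(referer, site_url=SITE_URL, default=DEFAULT_TARGET):
    """Return referer only if it points into the web UI, else the fallback."""
    # Reject empty values, whitespace/control characters and backslashes,
    # which URL parsers and browsers may normalise differently.
    if not referer or any(c <= " " or c in "\\\x7f" for c in referer):
        return default
    try:
        ref, site = urlsplit(referer), urlsplit(site_url)
        ref_port, site_port = ref.port, site.port   # may raise on a bad port
    except ValueError:
        return default
    # Only absolute http(s) URLs on the same scheme as the site are accepted;
    # this drops javascript:, data: and scheme-relative (//host) values.
    if ref.scheme not in DEFAULT_PORTS or ref.scheme != site.scheme:
        return default
    # user:pass@host forms can disguise the real destination host.
    if ref.username is not None or ref.password is not None:
        return default
    if (ref.hostname or "").lower() != (site.hostname or "").lower():
        return default
    if (ref_port or DEFAULT_PORTS[ref.scheme]) != \
            (site_port or DEFAULT_PORTS[site.scheme]):
        return default
    # The path must be the web UI root or sit below it ("/koji/...").
    base = site.path.rstrip("/")
    if ref.path != base and not ref.path.startswith(base + "/"):
        return default
    return referer


if __name__ == "__main__":
    # Constructed sample Referer values.
    for value in ("https://koji.example.com/koji/taginfo?tagID=1",
                  "https://koji.example.com@evil.example/koji/",
                  "javascript:alert(1)"):
        print(repr(value), "->", safe_redirect_target(value))
```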
Utilities Changes
kojira: don’t expire ignored tags with targets
Ignored tags’ repos were expired even when they had targets. This is fixed now and ignored tags are really ignored.
kojira: cache external repo timestamps by arch_url
Fixes a bug which could cause some split repository updates to be missed.
Documentation Changes
assign multicall to “m” in code example
api docs
python support matrix